Cyber attackers constantly innovate their business models, use cutting edge technology and invest in areas such as marketing, says Charles Lim, industry principal of the cybersecurity practice at Frost & Sullilvan.
“Cybercriminals are embracing digital transformation,” says Lim, who spoke at the Trend Micro Cybercrime 2016 Threat Defence Summit.
''The criminals are constantly asking themselves, 'How can I be more efficient? How do I make sure that my transactions can go through and I remain anonymous on the internet?”
Cyber attackers today are professionals, he says, and are part of a very complex ecosystem.
In New Zealand he estimates cybercrime cost the economy $257 million in 2015, but this figure could be as high as $2 billion using the benchmark of 1 per cent of a nation’s GDP that is lost to cybercrime.
He explains how the cybercrime syndicates are innovating, citing their activities around ransomware.
Lim estimates ransomware has earned cybercriminals across the globe US$325 million in less than a year. “How many companies achieve that?"
The amount victims pay to have their files released could range from $10,000 to $17,000 per business, says Lim.
If you pay up they will definitely give you the key and not only will they give you the best tech support, they will give you the files, he states.
“Most of the victims do pay up, it is an instant solution.”
If you do not pay up, one group of cyberattackers will present you with a case study from a US police department. “If the US Police department is paying up, well guess what you have no choice,” he says is the message of the attackers.
Organisations that do not have backup files and decide not to pay up, may have to spend a week using pen and paper. This, he says, happened to nurses and doctors in a hospital in the US.
The other fallout is on reputation - for the organisation and the services it provides, as well as the damage to the CEO's career.
The criminals are constantly asking themselves, 'How can I be more efficient?'
Cyberattacks are bringing the conversation to the board and to senior management, he says.
He recently had a meeting with a CEO and talked to him about the risks of cyberattacks and what they have to do. The visit, he said, was initiated not by the CIO but by the CFO.
He also told the CEO they need a public relations strategy - what to say to the media in case of an attack and how to mitigate the impact to your business.
The CEO told him he has not been briefed by the marketing department on what to do in case of such a breach.
Lim says SMEs in New Zealand, which comprise up to 97 per cent of the market, potentially do not have the right cybersecurity strategy in place. He says they can access the SME toolkit provided by ConnectSmart.
As well, he notes the recent announcement of the NZ Government to invest $22.2 million from Budget 2016 to set up a new national Computer Emergency Response Team (CERT).
Here he outlines the three 'Cs' for cybersecurity for all organisations:
‘Security by design’ talks about the right tools, he says. “If you are connecting your sensors to the internet, how are you going to do that securely? If you are designing a new application for your banking and finance transactions, how are you developing that securely?"
If you are designing an app, you should be using very good procedures like secure coding and making sure you do application scanning on every single time. Do due diligence on how effective security applications are, when you outsource your application development.
Building the right prevention base is important. For organisations this could be around building a security operation centre, where people are looking at threats 24x7. SOCs, however, are expensive to maintain and require up to US$1 million to set up and need a minimum of 21 staff to operate in three shifts.
“If you do not have that level of investment and budget, consider investing in a managed service security provider which will have cybersecurity experts in place,'' Lim says.
This is the ultimate goal, he says. With protection and intelligence, you will be able to answer the question on what is your security posture, and if you can launch new services on the internet and not be disrupted by cyberattacks.
Finally, he advises organisations to collaborate and share threat intelligence. This is being done by banks, which have that level of sharing with their fellow competitors. “Talk to your peers on what you are doing.”
“If you are a CIO, create a cybersecurity committee,” he states.
Have a meeting every week with HR, operations, finance. “If you do not have a cybersecurity expert in the organisation, consider getting one,'' he says.
Uber employed the CISO of Facebook. “That is the level of investment Uber is bringing in. It sees cybersecurity as important.”
“Cybersecurity is part of that company's growth initiative for the future,” Lim says.
You need to understand who may be targeting you and why. Is it because of a new product or service?
Cyber defence: Where to invest?
Another speaker at the Cybercrime 2016 Threat Defence Summit was Suleyman Anil, head of cyber defence at the Emerging Security Challenges Division of NATO in Brussels.
He says NATO faces similar cybersecurity challenges to businesses and that cybersecurity is an integral part of NATO’s collective cyberdefence.
NATO facilitates capacity building in cybersecurity through exercises, training and awareness.
He says it is important to consider possible cybersecurity attacks and who could launch them, along with simulation training for just such an attack. A report on the simulation exercise can then evaluate the robustness of the defence responses for management.
“You will get the missing pieces by sharing information with others,” says Anil.
Partnership with industry is critical in cyber defence, he says.
“We invite the industry to participate in our cyber defence exercises.''
Industries also join cyber defence workshops and participate in the NATO cyber security incubator, which also looks at technology in early stages.
“When you are under attack you will need that partnership in place,” he says.
Anil believes there are three areas where organisations need to invest in cybersecurity.
The first is in situational awareness. Know your own data and traffic or what is expected. You need to understand who may be targeting you and why. “Is it because of a new product or service?”
The next is resiliency and this starts with an enterprise policy that is signed by your IS management. There should be investments in effective capabilities for prevention, detection, response and recovery, as well as capacity building. “What you are protecting is not only IT, but the data of your enterprise.”
The third is in partnerships. Establish partnerships with your service providers, suppliers, national stakeholders and regional and international stakeholders.
“When you are under attack, you know who to go to and how to work with them.”
A lot of companies still see the IT environment as a Mentos candy - with 'a hard shell but inside is soft and chewy' - and design IT security this way.
The cyber battlefield
A third speaker at the conference contends the IT industry is losing the battle to cybercriminals.
They are making more and more money every year but organisations also make it easy for cybercriminals in an enterprise environment, says Raimund Genes, CTO at Trend Micro Global.
The biggest problem is a lot of companies still see the IT environment as a Mentos candy - with "a hard shell but inside is soft and chewy” - and design IT security this way.
We only look at the outside in, he says. “We tend to build bigger fortresses and ignore that the gates are open.
“This outdated model doesn’t help us, it helps the attacker,” he says.
He lists the critical areas organisations need to consider:
1. A solid information security program
Auditors will ask this question, he says. “Do you have clear and published security guidelines? Do you have user education, pentesting? Do you have layered (connected) threat defence?
2. Cyber breach detection
Do you have breach detection system in place? Do you know what to do and do you have a partner to call?
3. Incident response team formation
Are team members known and trained, are they available even when there is a footie game? Do you have a coordinated response plan? “It’s time to walk with marketing,” says Genes.
4. Investigation and quick fixing
What happened and how? What data was affected? How did the intrusion take place and how do we stop it now? If data was stolen, what could they be used for? Do you need to contact law enforcement?
5. Customer notification
If records have been stolen be upfront about it, he says. "Assume the worst and communicate a worst case scenario."
He also advises informing customers about the next steps the organisation will be taking.
6. Remediation and improvement
Have a detailed analysis of potential infected systems and learn from the attack. “One month after the breach, a summary and action plan should be presented to the board,'' Genes says.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.